Platform: wordpress
Component: wpdiscuz
Fixed version: 7.6.47
CVE-2026-22215 is a cross-site request forgery (CSRF) vulnerability discovered in the wpDiscuz plugin for WordPress. This flaw allows attackers to trigger unauthorized actions, specifically manipulating user follow relationships, without proper nonce validation. The vulnerability affects versions of wpDiscuz prior to 7.6.47, and a patch is available in version 7.6.47.
The primary impact of this CSRF vulnerability lies in the ability of an attacker to manipulate user follow data within the wpDiscuz plugin. An attacker could craft malicious requests to add or remove users from follow lists, potentially impacting the plugin's social features and user experience. While the vulnerability doesn't directly lead to data exfiltration or system compromise, it can be leveraged to disrupt the plugin's functionality and potentially be chained with other vulnerabilities for more severe consequences. The lack of CSRF protection in the getFollowsPage() function is the root cause, allowing attackers to forge requests as if they originated from an authenticated user.
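The root cause described above is a state-changing request handler that never checks a nonce. As an added illustration (this is not wpDiscuz's own code and does not reproduce the flaw), the following WordPress AJAX handler shows what the missing check looks like when it is present: the nonce is minted for the logged-in user's page, sent back with the request, and verified with check_ajax_referer() before any follow data changes. The hook name wpd_demo_follow, the nonce action wpd_demo_follow_nonce, the user-meta key wpd_demo_follows and the script file follow.js are assumptions chosen for the example.

```php
<?php
// Added example, not wpDiscuz code. Hook, nonce, meta-key and file names are assumed.

// 1. Give the front-end a nonce tied to the current user and session.
add_action( 'wp_enqueue_scripts', function () {
    wp_enqueue_script( 'wpd-demo-follow', plugins_url( 'follow.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'wpd-demo-follow', 'wpdDemoFollow', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'wpd_demo_follow_nonce' ),
    ) );
} );

// 2. The state-changing handler, guarded before it touches any data.
function wpd_demo_handle_follow() {
    // Follow state belongs to a user, so anonymous callers are rejected outright.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'login required' ), 401 );
    }

    // The CSRF check: the 'nonce' field must be present and valid for this action.
    // Third argument false returns a boolean instead of dying with "-1", so the
    // handler can answer with a proper 403 JSON response.
    if ( ! check_ajax_referer( 'wpd_demo_follow_nonce', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'invalid or missing nonce' ), 403 );
    }

    // Validate the remaining inputs; only two operations are allowed.
    $target = isset( $_POST['target_user'] ) ? absint( $_POST['target_user'] ) : 0;
    $mode   = isset( $_POST['mode'] ) ? sanitize_key( $_POST['mode'] ) : '';
    if ( ! $target || ! in_array( $mode, array( 'follow', 'unfollow' ), true ) ) {
        wp_send_json_error( array( 'message' => 'bad parameters' ), 400 );
    }

    // Act only on the caller's own follow list; the acting user id never comes from the request.
    $me      = get_current_user_id();
    $follows = get_user_meta( $me, 'wpd_demo_follows', true );
    $follows = is_array( $follows ) ? array_map( 'absint', $follows ) : array();
    if ( 'follow' === $mode ) {
        $follows[] = $target;
    } else {
        $follows = array_diff( $follows, array( $target ) );
    }
    $follows = array_values( array_unique( $follows ) );
    update_user_meta( $me, 'wpd_demo_follows', $follows );

    wp_send_json_success( array( 'follows' => $follows ) );
}
add_action( 'wp_ajax_wpd_demo_follow', 'wpd_demo_handle_follow' );
// No 'wp_ajax_nopriv_' registration on purpose: visitors who are not logged in get no endpoint.
```

The two guards are independent: the login check stops anonymous requests, and the nonce check stops requests that a third-party page induces the victim's browser to send with the victim's cookies, which is exactly the class of request a missing nonce check lets through. A WAF rule of the kind the mitigation section suggests can only approximate this (it cannot know whether a token is valid for a given user), so it is a stopgap until the plugin update applies the check server-side.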
CVE-2026-22215 was publicly disclosed on 2026-03-13. No public proof-of-concept (PoC) code has been released at the time of writing. The EPSS score is currently pending evaluation. It is not listed on the CISA KEV catalog.
Websites utilizing the wpDiscuz plugin, particularly those with active user communities and social features, are at risk. Shared hosting environments where plugin updates are managed centrally are also at increased risk, as they may be slower to apply security patches.
• wordpress / composer / npm:
grep -r "getFollowsPage()" /var/www/html/wp-content/plugins/wpdiscuz/
• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/wpdiscuz/getFollowsPage.php | grep -i 'server'
Disclosure
Exploitation status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The recommended mitigation for CVE-2026-22215 is to immediately upgrade the wpDiscuz plugin to version 7.6.47 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to filter requests to the getFollowsPage() endpoint, specifically looking for missing or invalid CSRF tokens. Additionally, ensure that all users are educated about the risks of clicking on suspicious links or visiting untrusted websites, as this can facilitate CSRF attacks. After upgrading, verify the fix by attempting to trigger a follow action via a crafted URL and confirming that it requires authentication.
Update the wpDiscuz plugin to version 7.6.47 or later. This version fixes the CSRF vulnerability in the getFollowsPage() function. The update can be applied from the Plugins section of the WordPress admin panel.
CVE-2026-22215 is a cross-site request forgery (CSRF) vulnerability affecting wpDiscuz versions 0–7.6.47, allowing attackers to manipulate user follow data.
You are affected if you are using wpDiscuz version 7.6.47 or earlier. Upgrade to 7.6.47 to mitigate the risk.
Upgrade the wpDiscuz plugin to version 7.6.47 or later. As a temporary workaround, implement a WAF rule to filter requests to the vulnerable endpoint.
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known.
Refer to the official wpDiscuz website or WordPress plugin repository for the latest security advisory and update information.